Exchange 2013 with Rights Management Connector (Part 2)
If you would like to read the other parts in this article series please go to
Configuring RMS Connector
Now that we have our RMS Connector installed, it is time to configure it. As I mentioned in the first article, in this article series we will go through the following steps:
- Installing RMS Connector (already discussed);
- Configuring RMS Connector;
- Configuring Exchange 2013 to use the RMS connector (discussed in part 3 of this article series);
- Protecting information (discussed in part 3 of this article series).
So let us get started on step 2.
Authorizing Exchange to use RMS Connector
Now that we have installed our RMS connector server(s), what we need to do next is to authorize our servers (in this case Exchange) to use the RMS connector. To do this, we run the RMS connector administration tool and add entries to the list of allowed servers. We can achieve this by selecting Launch connector administration console to authorize servers at the end of the Rights Management connector Setup wizard, or by running it separately from the wizard:
Double-click the Microsoft RMS connector icon on the Desktop:
Figure 2.1: Microsoft RMS connector desktop icon
On the Microsoft RMS administrator credentials page, enter the credentials that you used to install the connector and click Sign In:
Figure 2.2: Microsoft RMS administrator credentials screen
On the Servers allowed to utilize the connector page, click Add:
Figure 2.3: Servers allowed to utilize the connector screen
When authorizing servers, be aware of the following:
- Servers that you add will be granted special privileges. All servers that you specify and are configured as Exchange servers will be granted SuperUser privileges for all the content for this RMS tenant. To avoid the security risk of elevation of privileges, be careful not to grant this privilege to accounts that are not going to be used by your organization’s Exchange servers. All servers configured as SharePoint servers or file servers that use File Classification Infrastructure [FCI] will be granted regular user privileges;
- You can add multiple servers as a single entry by specifying an Active Directory [AD] security or distribution group, or a service account that is used by more than one server. When you use this configuration, the group of servers will share the same RMS certificates and will all be considered owners for content that any of them have protected. To minimize administrative overheads, it is recommended that you use this configuration of a single group rather than individual servers to authorize Exchange servers or a SharePoint server farm;
- For servers that run Exchange, we must specify a security group. As such, the default Exchange Servers group that Exchange automatically creates is the best option as any new Exchange servers are automatically added to this group.
Click Browse... and add the Exchange Servers security group:
Figure 2.4: Allow a server to utilize the connector screen
On the Servers allowed to utilize the connector page, confirm your selection and then click Close:
Figure 2.5: Servers allowed to utilize the connector screen
It goes without saying that the availability of the RMS connector is very important. To ensure that it is highly available, we should deploy two or more RMS connector instances. After we have installed the second or final instance of the RMS connector, we define a connector URL server name and configure a load balancing system.
The connector URL server name can be any name under a namespace that we control. For example, we could create an entry in DNS for rms.letsexchange.com and configure this entry to use an IP address in a load balancing system. There are no special requirements for this name and it does not need to be configured on the connector servers themselves.
It is not recommended to change this name after we have configured Exchange or SharePoint servers to use the connector, because we would then have to clear these servers of all Information Rights Management [IRM] configurations and reconfigure them.
We can use any IP-based load balancer for this purpose, including the Network Load Balancing [NLB] feature in Windows Server. Use the following settings to configure the NLB cluster:
- Ports: 80 (for HTTP) or 443 (for HTTPS);
- Affinity: None;
- Distribution method: Equal.
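As an added example (not from the original article), the following PowerShell builds the NLB cluster with exactly the settings listed above and publishes the connector name in DNS. The server names RMSCON01 and RMSCON02, the NIC name "Ethernet", the cluster VIP 192.0.2.10/24 and the multicast mode are assumptions; the connector name rms.letsexchange.com is the one the article uses. It requires the NetworkLoadBalancingClusters and DnsServer modules and must run with administrative rights.

```powershell
# Added example, not code from the original article. Assumed values are marked.
Import-Module NetworkLoadBalancingClusters
Import-Module DnsServer

$clusterName   = 'rms.letsexchange.com'      # connector URL server name from the article
$clusterVip    = '192.0.2.10'                # assumed load-balanced IP (documentation range)
$subnetMask    = '255.255.255.0'             # assumed
$interfaceName = 'Ethernet'                  # assumed NIC name, same on every node
$nodes         = @('RMSCON01', 'RMSCON02')   # assumed connector server names
$dnsZone       = 'letsexchange.com'
# Port 443 for HTTPS; add 80 only while the connector is still reached over plain HTTP.
$ports         = @(443)

# Create the cluster on the first connector server. Multicast is assumed because
# the nodes are virtual machines on a shared switch; use Unicast if your network needs it.
New-NlbCluster -HostName $nodes[0] -InterfaceName $interfaceName `
    -ClusterName $clusterName -ClusterPrimaryIP $clusterVip -SubnetMask $subnetMask `
    -OperationMode Multicast | Out-Null

# Join the remaining connector servers to the cluster.
foreach ($node in $nodes[1..($nodes.Count - 1)]) {
    Add-NlbClusterNode -HostName $nodes[0] -InterfaceName $interfaceName `
        -NewNodeName $node -NewNodeInterface $interfaceName | Out-Null
}

# Replace the default "all ports" rule with the rules the article calls for:
# Mode Multiple without -Load is equal distribution, Affinity None lets any node
# answer any request, which is fine because the connector keeps no session state.
Get-NlbClusterPortRule -HostName $nodes[0] | Remove-NlbClusterPortRule -Force
foreach ($port in $ports) {
    Add-NlbClusterPortRule -HostName $nodes[0] -Protocol Tcp `
        -StartPort $port -EndPort $port -Mode Multiple -Affinity None | Out-Null
}

# Publish the connector name. Exchange will be pointed at this name later, so it
# must resolve to the VIP and never to an individual connector server.
Add-DnsServerResourceRecordA -ZoneName $dnsZone -Name 'rms' -IPv4Address $clusterVip

# Show the resulting rules so the three settings can be verified at a glance.
Get-NlbClusterPortRule -HostName $nodes[0] |
    Select-Object StartPort, EndPort, Protocol, Mode, Affinity |
    Format-Table -AutoSize
```

Run it once from the first node after the RMS connector has been installed on every node; the DNS cmdlet assumes the zone is hosted on a Windows DNS server this host can manage.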
Configuring RMS Connector to use HTTPS
Although the use of TLS or SSL is optional for the RMS connector, it is recommended for any HTTP-based security-sensitive service. This configuration authenticates the servers running the connector to our Exchange servers that use the connector. In addition, all data that is sent from these servers to the connector is encrypted.
To enable the RMS connector to use TLS, on each server that runs the RMS connector, install a server authentication certificate that contains the name that you will use for the connector. In my example, the RMS connector name defined in DNS is rms.letsexchange.com, so I need to deploy a server authentication certificate that contains rms.letsexchange.com in the certificate subject as the common name, or specify rms.letsexchange.com in the certificate alternative name as the DNS value (the certificate does not have to include the name of the servers!). Then in IIS, bind this certificate to the Default Web Site.
If you use the HTTPS option, ensure that all servers that run the connector have a valid server authentication certificate that chains to a root certification authority [CA] that your Exchange servers trust. In addition, if the CA that issued the certificates for the connector servers publishes a certificate revocation list [CRL], the Exchange servers must be able to download this CRL.
To check that everything is OK with the certificate (and the load balancing solution), from a web browser navigate to https://<connector_address>/_wmcs/certification/servercertification.asmx, replacing <connector_address> with the service’s FQDN. A successful connection displays a ServerCertificationWebService page:
Figure 2.6: Testing RMS Connector using HTTPS
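The certificate requirements above (connector name in the subject or SAN, a chain to a CA the Exchange servers trust, and a reachable CRL) are easy to get slightly wrong, so here is an added PowerShell check, not code from the original article, to run on each connector server. It picks the certificate that carries the connector name, builds its chain with online revocation checking the way a TLS client would, binds it to the Default Web Site on 443, and then requests the test URL given above through the load-balanced name. The connector name is the article's; everything else is generic WebAdministration and .NET API usage.

```powershell
# Added example, not code from the original article. Run elevated on a connector server.
Import-Module WebAdministration

$connectorName = 'rms.letsexchange.com'       # connector name from the article
$serverAuthEku = '1.3.6.1.5.5.7.3.1'          # id-kp-serverAuth

# 1. Find a server-authentication certificate with a private key whose subject
#    CN or SAN DNS entries include the connector name (the host name is not needed).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        ($_.DnsNameList.Unicode -contains $connectorName) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthEku)
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No server-authentication certificate for $connectorName in LocalMachine\My" }

# 2. Build the chain exactly as the Exchange servers will: trusted root required and
#    revocation checked online. A CRL that cannot be downloaded shows up here as
#    RevocationStatusUnknown / OfflineRevocation rather than later as an IRM failure.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
if (-not $chain.Build($cert)) {
    $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    throw "Chain for $($cert.Thumbprint) does not validate: $reasons"
}
"Certificate $($cert.Thumbprint) validates for $connectorName (expires $($cert.NotAfter))"

# 3. Bind the certificate to the Default Web Site on 443 (safe to re-run).
if (-not (Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443)) {
    New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443 -IPAddress '*'
}
$binding = Get-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
$binding.AddSslCertificate($cert.Thumbprint, 'My')

# 4. Request the test page through the load-balanced name, as Exchange will.
#    Invoke-WebRequest throws on TLS or HTTP errors, so a failure surfaces as an exception.
$url = "https://$connectorName/_wmcs/certification/servercertification.asmx"
try {
    $response = Invoke-WebRequest -Uri $url -UseBasicParsing
} catch {
    throw "Request to $url failed: $($_.Exception.Message)"
}
if ($response.StatusCode -eq 200 -and $response.Content -match 'ServerCertificationWebService') {
    "OK: $url returned the ServerCertificationWebService page"
} else {
    throw "Unexpected response from $url (HTTP $($response.StatusCode))"
}
```

Step 4 is also worth running from an Exchange server itself, since that is the trust store and network path that matter; a chain that builds on the connector but not on Exchange usually means the issuing CA's root or CRL is not reachable from the Exchange side.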
Configuring RMS Connector Web Proxy
If our RMS connector server is installed in a network that does not have direct Internet access and requires manual configuration of a web proxy server for outbound Internet access, we must update its registry:
- On the server(s) running the RMS connector, open a registry editor such as Regedit;
- Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AADRM\Connector;
- Add the string value of ProxyAddress and then set the Data for this value to be http://<ProxyOrIPaddress>:<ProxyPort> (for example: http://proxy.letsexchange.com:8080);
- Close the registry editor, and then restart the server or perform an IISReset command to restart IIS.
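The same change scripted, as an added example that is not part of the original article. It uses the registry path and the example proxy address given in the steps above, rejects values that do not have the http://host:port shape before writing anything, reads the value back, and then restarts IIS so the connector picks it up.

```powershell
# Added example, not code from the original article. Run elevated on each connector server.
$proxy   = 'http://proxy.letsexchange.com:8080'             # example value from the article
$keyPath = 'HKLM:\SOFTWARE\Microsoft\AADRM\Connector'        # key named in the article

# Validate the shape first: the connector expects http://<ProxyOrIPaddress>:<ProxyPort>,
# and a malformed value silently breaks the connector's outbound calls to the RMS service.
$uri = $null
$parsed = [System.Uri]::TryCreate($proxy, [System.UriKind]::Absolute, [ref]$uri)
if (-not $parsed -or $uri.Scheme -ne 'http' -or $proxy -notmatch ':\d+/?$') {
    throw "ProxyAddress must look like http://<host>:<port>, got '$proxy'"
}

# Create the key if the connector has not created it yet, then write the REG_SZ value.
if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
New-ItemProperty -Path $keyPath -Name 'ProxyAddress' -Value $proxy `
    -PropertyType String -Force | Out-Null

# Read it back before restarting anything.
$stored = (Get-ItemProperty -Path $keyPath -Name 'ProxyAddress').ProxyAddress
if ($stored -ne $proxy) { throw "ProxyAddress readback mismatch: '$stored'" }
"ProxyAddress set to $stored"

# The connector runs inside IIS and only reads this value at start-up.
iisreset
```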
Install RMS Connector Administration Tool
As I have mentioned in the previous article, it is possible to run the RMS connector administration tool from a computer that does not have the RMS connector installed. However, all this gives us is the option to control the list of servers authorized to use the connector (well, that is the only configuration on the RMS connector’s server anyway).
To install the administration tool, the computer/server needs to meet the following requirements:
- A physical or virtual computer running Windows Server 2008 R2 or above (Server 2012 included), Windows 7 or above (Windows 8 included);
- At least 1 GB of RAM;
- A minimum of 64 GB of disk space;
- Access to the Internet.
To install the RMS connector administration tool, run one of the following files:
- For a 32-bit computer: RMSConnectorAdminToolSetup_x86.exe;
- For a 64-bit computer: RMSConnectorSetup.exe.
If you have not already downloaded these files, you can do so from the Microsoft Download Center.
To install the 64-bit version:
- Double-click the RMSConnectorSetup.exe installation file;
- On the Welcome page, select Install Microsoft Rights Management connector administration tool on this computer and then click Next:
Figure 2.7: RMS Admin Tools Welcome screen
- Select I accept the terms in the License Agreement and click Next:
Figure 2.8: RMS Admin Tools License screen
- Click Install to start the installation process:
Figure 2.9: RMS Admin Tools Ready to Install screen
- Once installation is complete, click Finish:
Figure 2.10: RMS Admin Tools Installation Complete
- On the Microsoft RMS administrator credentials page, enter the credentials that you used to install the connector and click Sign In:
Figure 2.11: RMS Connector Credentials
- The Servers allowed to utilize the connector page appears, listing all the servers we previously configured:
Figure 2.12: Servers allowed to utilize the connector screen
In this second part of this article series, we completed the configuration of our RMS Connector. In the next and final part, we will go through the process of configuring Exchange to use the RMS connector.